STR:

• open https://googlechrome.github.io/samples/vibration/ in Firefox on Android.

Expected:

• vibrations!

Observed:

• No vibrations.

This is because the call to navigator.vibrate() checks if the page has the "vibration" permission and ends up at https://searchfox.org/mozilla-central/rev/82c04b9cad5b98bdf682bd477f2b1e3071b004ad/extensions/permissions/PermissionDelegateHandler.cpp#290

This returns DENY_ACTION if the permission is not explicitly set and there is no user prompt to switch it to ALLOW_ACTION.

Discussing with Anne, we should instead allow it for top level contexts and same origin iframes.

I'm not sure if that matches the expected semantics of PermissionDelegatePolicy::ePersistDeniedCrossOrigin or if we need a new policy (PermissionDelegatePolicy::eAllowToplevelSameOrigin ??) for that case.

WIP patch (no tests updated). If adding a new policy is the way to go, this patch works.

Discussing this with Andrea, it could use some product input as even letting first parties vibrate the page can be somewhat unsettling. It's not clear to me we properly evaluated all the risks of this feature when it was first shipped.

To me this looks like something that should require explicit user consent, because it has the potential to annoy the user. It might be particularly intrusive when they are using a different tab or a different app. We have a similar consent requirement for notifications, media autoplay, and cross-tab window.alert.

Why not allow it from the current active window though to have use cases like haptic feedback work out of the box?

From what I remember, the problem was that it would make it hard for users to distinguish between OS level notifications/vibrations and those coming from a web page (making web page notifications feel more authoritative than they actually are... like "<shake>We detected a virus! download our spamware!<shake>").

I understand that there are concerns here about malicious websites annoying the user, but for some of us building web apps it's frustrating that there seems to currently be absolutely no way to cause vibration: https://www.reddit.com/r/firefox/comments/m9zf65/obtaining_vibration_permissions/

It would seem reasonable for Firefox to use the same permissions mechanism as for playing audio. Chrome allows vibration after any interaction with the webpage, but this is arguably too lax.

For the time being, I'm forced to recommend another browser to my users. Which is a shame.

Sorry, there was a problem with the detection of inactive users. I'm reverting the change.